[clug] SSH attack
Steven Farlie
steven.farlie at gmail.com
Mon Jul 25 16:26:35 GMT 2005
Steve Jenkin wrote:
> Tonight I noticed lots of inbound network activity to an unused host: I
> mapped SSH through the firewall to it.
>
> First event in log:
> Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
> Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
> from 66.235.160.30 port 60518 ssh2
>
> Could this explain the compromise someone on the list saw recently?
>
> I've created two lists from the attempts I've seen in /var/log/secure,
> URLs below. Hope this is helpful to some of you out there. The first
> number in the file is the count.
> http://tip.net.au/~sjenkin/hack-ipnr.txt
> http://tip.net.au/~sjenkin/hack-logins.txt
Someone's been doing plain old dictionary attacks on ssh for a while now.
It seems to be reasonably effective. Even if it takes a bit longer than
a regular attack, you might just end up owning a unix box on a big fat pipe.
http://it.slashdot.org/article.pl?sid=05/07/16/1615233
> BTW: I've read the man page for 'sshd_config', and it seems pretty
> sketchy to me on how to limit connections to sshd. All I found was:
> => AllowUsers USER@HOST
>
> Doesn't seem to understand limiting to subnets or denying from address
> ranges, say like Apache... Did I get this right?
Yep, that's about it. Most people should just set AllowUsers and enforce
strong passwords on those. Subnet and address range blocking is usually
best handled by firewalls.
--
Steven Farlie
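To turn the /var/log/secure lines quoted above into the kind of per-address and per-login counts Steve posted, here is a small log tally (an added example, not code from either poster). The log lines are constructed in the format shown in the thread; the 192.0.2.7 client, the extra user names and the threshold of 3 are assumptions for the sake of the example.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/secure format quoted in the thread:
# one dictionary run from 66.235.160.30, then a real user (192.0.2.7 is a
# documentation address) who mistypes once and then gets in.
SAMPLE_LOG = """\
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from 66.235.160.30 port 60518 ssh2
Jun 30 22:58:49 cdr sshd[3538]: Illegal user guest from 66.235.160.30
Jun 30 22:58:52 cdr sshd[3538]: Failed password for illegal user guest from 66.235.160.30 port 60531 ssh2
Jun 30 22:59:01 cdr sshd[3540]: Failed password for root from 66.235.160.30 port 60540 ssh2
Jun 30 23:10:17 cdr sshd[3601]: Failed password for sjenkin from 192.0.2.7 port 41022 ssh2
Jun 30 23:10:25 cdr sshd[3603]: Accepted password for sjenkin from 192.0.2.7 port 41023 ssh2
"""

# Only "Failed password" lines are counted: the "Illegal user" line that
# precedes one (same PID) is the same attempt, so counting both doubles it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Tally failed logins per source address and per attempted user name."""
    per_ip, per_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            per_user[m.group("user")] += 1
    return per_ip, per_user

def format_counts(counter):
    """'count value' lines, highest first: the layout of the hack-*.txt files."""
    return [f"{n} {v}" for v, n in counter.most_common()]

def noisy_sources(per_ip, threshold):
    """Addresses with >= threshold failures, i.e. candidates for a firewall
    rule, which is where the reply says address blocking belongs."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    ips, users = count_failures(SAMPLE_LOG)
    print("\n".join(format_counts(ips)), "\n".join(format_counts(users)), sep="\n")
    print("firewall candidates:", noisy_sources(ips, 3))
```

Point it at a real file with `count_failures(open("/var/log/secure").read())`; the "Accepted password" line is deliberately ignored, so a legitimate user who fumbles a password once does not end up on the block list.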